Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:

Title: Special Kurt's Closet: Is SSL dead?
Resource Type: News letter
Date: September 30, 1999
Source: Security Portal
Author: Kurt Seifried
Keywords: INTERNET/WWW, SECURITY ISSUES, ONLINE SHOPPING, SSL

Abstract/Summary:

The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most security experts have been aware of problems with SSL, but generally speaking we haven't said much because there wasn't much of a replacement available for it, and it hasn't been exploited extensively (chances are it will be, though). I'll start with an explanation of the basic attack, followed by some methods to protect yourself, and finish with an interview with Dale Peterson of DigitalBond and the summary.

How to do it

Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy.

I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com, time required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks and feels like the "real" thing.

Now, how do I get people to come to it? Well I simply poison their DNS caches with my information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8. Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one.

Original URL: http://securityportal.com/closet/closet19990930.html
Added: Wed Oct 6 12:41:14 -040 1999
Contributed by: Keeffee

Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

RE: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT. It was fixed in SSL 3.0, that must be almost three years ago. The server certificate now binds the public key to a specific Web server address.

Phill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Hettinga
Sent: Wednesday, October 06, 1999 4:22 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:

Title: Special Kurt's Closet: Is SSL dead?
Resource Type: News letter
Date: September 30, 1999
Source: Security Portal
Author: Kurt Seifried
Keywords: INTERNET/WWW, SECURITY ISSUES, ONLINE SHOPPING, SSL

Abstract/Summary:

The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most security experts have been aware of problems with SSL, but generally speaking we haven't said much because there wasn't much of a replacement available for it, and it hasn't been exploited extensively (chances are it will be, though). I'll start with an explanation of the basic attack, followed by some methods to protect yourself, and finish with an interview with Dale Peterson of DigitalBond and the summary.

How to do it

Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy.

I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com, time required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks and feels like the "real" thing.

Now, how do I get people to come to it? Well I simply poison their DNS caches with my information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8. Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one.

Original URL: http://securityportal.com/closet/closet19990930.html
Added: Wed Oct 6 12:41:14 -040 1999
Contributed by: Keeffee

Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

RE: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
At 07:35 PM 10/6/99 -0400, Phillip Hallam-Baker wrote:
> This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT. It was fixed in SSL 3.0, that must be almost three years ago.

That's not the big issue here. Server-spoofing is not fully prevented by any version of SSL. The problem is in how the typical user interacts with the system. There are many ways the user can be tricked by what he sees into believing he is interacting with a trustworthy familiar site, when in fact the site is a malicious imposter or site-in-the-middle. Changing the DNS binding is certainly not the only way to do it.

> The server certificate now binds the public key to a specific Web server address.
>
> Phill

The point is that none of this binding matters if the user doesn't know if the Web server address is correct. SSL alone just can't solve this problem. While you may not consider this to be "a problem with SSL", many people have unrealistic expectations of what SSL or any similar cert-based protocol can and cannot do.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Hettinga
> Sent: Wednesday, October 06, 1999 4:22 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
>
> At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:
>
> Title: Special Kurt's Closet: Is SSL dead?
> Resource Type: News letter
> Date: September 30, 1999
> Source: Security Portal
> Author: Kurt Seifried
> Keywords: INTERNET/WWW, SECURITY ISSUES, ONLINE SHOPPING, SSL
>
> Abstract/Summary:
>
> The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most security experts have been aware of problems with SSL, but generally speaking we haven't said much because there wasn't much of a replacement available for it, and it hasn't been exploited extensively (chances are it will be, though). I'll start with an explanation of the basic attack, followed by some methods to protect yourself, and finish with an interview with Dale Peterson of DigitalBond and the summary.
>
> How to do it
>
> Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy.
>
> I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com, time required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks and feels like the "real" thing.
>
> Now, how do I get people to come to it? Well I simply poison their DNS caches with my information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8. Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one.
>
> Original URL: http://securityportal.com/closet/closet19990930.html
> Added: Wed Oct 6 12:41:14 -040 1999
> Contributed by: Keeffee

David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com
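
Added example, not part of any message in this thread: a simplified model of the client-side server check the two replies argue about, showing which cases the certificate-to-address binding rejects and which it cannot. The function names, the certificate dicts, the issuer name and shop.example.net are constructed for illustration; the wildcard rule is the modern matching convention and goes beyond what the thread states.

```python
# Added illustration: a simplified model of the client-side server check.
# Certificates are constructed dicts (names + issuer); no real crypto or network.
TRUSTED_ISSUERS = {"Constructed Root CA"}  # stand-in for the browser's CA list

def hostname_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate DNS name with the requested host name.

    A '*' is honoured only as the whole leftmost label, covers exactly one
    label, and must be followed by at least two more labels.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def check_server(requested_host: str, cert: dict) -> tuple:
    """Return (accepted, reason) using only what the client can verify."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not any(hostname_matches(n, requested_host) for n in cert["names"]):
        return False, "name mismatch"
    return True, "ok"

STORE = "www.some-online-store.com"   # host name used in the article
OTHER = "shop.example.net"            # constructed: any other server's name
REAL_CERT = {"names": [STORE], "issuer": "Constructed Root CA"}
OTHER_CERT = {"names": [OTHER], "issuer": "Constructed Root CA"}
SELF_SIGNED = {"names": [STORE], "issuer": "self"}

def scenarios() -> dict:
    return {
        "genuine store": check_server(STORE, REAL_CERT),
        # DNS answer was changed; the other server can only show its own cert
        "redirected, other server's cert": check_server(STORE, OTHER_CERT),
        # ...or a certificate in the store's name that no trusted CA issued
        "redirected, self-signed cert": check_server(STORE, SELF_SIGNED),
        # The browser was given a different address than the user intended:
        # every check passes, because the intent is not an input to the check.
        "wrong address requested": check_server(OTHER, OTHER_CERT),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:34} {result}")
```

The last case is the one the certificate binding cannot decide: the only remaining control is whether the user, or some out-of-band mechanism, confirms that the requested address is the intended one.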